Read as
Why this module exists. Windows Event Logs are the densest forensic data source on a Windows endpoint or domain controller. Every logon, every process launch, every PowerShell command, every credential operation leaves a trace — if you know which event ID to look for. This module is the IR-grade event-log reference: what to query, how to find lateral movement, and how to spot the cleanup attackers do.
Why this module exists. The defender’s biggest leverage in any Windows IR is the event log. The attacker’s biggest leverage in the same IR is knowing which events to clear. This module gives you the canonical event IDs, the queries that surface attacker activity, and the gaps that tell you something was cleaned.
The seven event logs that matter
| Log | Why |
|---|---|
| Security | Logons, account changes, privilege use |
| System | Service starts/stops, time changes, system events |
| Application | Application errors, but also AV alerts, exploitation crashes |
| Microsoft-Windows-PowerShell/Operational | PowerShell module / script-block logging |
| Microsoft-Windows-Sysmon/Operational | Process creation, network connections, file creation — gold |
| Microsoft-Windows-TaskScheduler/Operational | Scheduled task creation — common persistence |
| Microsoft-Windows-TerminalServices-LocalSessionManager/Operational | RDP session connections, even when network logon fails to log |
Worried about your exposure?
Get a free attack-surface review
We check what an attacker would see about your business — leaked credentials, exposed services, dark-web mentions. 30 minutes, no obligation.
Book exposure review
Replies in 4 working hrs · India-only · Senior consultants